Mandatory data retention laws passed

The controversial Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 passed both houses of Parliament on 26 March 2015, the last sitting day before the budget.

This Act introduces a mandatory data retention scheme for certain carriers and carriage service providers such as Telstra, Optus, Vodafone and over 400-odd Australian internet service providers. The laws do not commence operation immediately but, as at 13 April 2015, a service provider must not reduce the period for which it keeps any data it will be required to be keep under the new laws.

The laws will impact on all Australians, unless you don’t use a telephone or the internet. Currently, the type of telecommunications data (or ‘metadata’) kept varied between service providers as did the length of time each type of data was retained. The data retention laws include an express requirement on service providers to ‘create’ data that falls within the data set to be retained even if they do not currently collect or capture that data.

The law as passed incorporates amendments made by the government following the report of the Parliamentary Joint Committee on Intelligence and Security. Some of these amendments addressed issues that had long been problematic in the existing regime. For example, the broad range of agencies that could access data including the RSPCA, Centrelink and local councils and how frequently data was accessed. Victoria Police reported it accessed telecommunications data on average 1200 times a week.

Enforcement agencies will continue to be able to access telecommunications data without a warrant, with one exception. In the narrow context of a request for data of a journalist for the purpose of identifying a source, a ‘journalist information warrant’ is required. There are serious concerns about the level of protection provided by this scheme.

At a practical level, in the context of a leak of information from a government department, for example, the enforcement agency could seek warrant-less access to the data of the potential sources rather than the journalist. Even when a journalist’s data is accessed to identify a source, the journalist will not be informed of the request and will not be able to provide instructions to the public interest advocate. Moreover, the law provides a very narrow description of who is a journalist limiting it to those working in ‘a professional capacity as a journalist’.

There will be a need to remain vigilant about the use of the flexibility that been built into the laws. Notably, the Minister can make a declaration to modify the:

set of data that must be retained;

services to which the data retention obligation applies;

list of authorities or bodies that are entitled to access telecommunications data.

(Any such declaration will come into force when it is made, and cease to have force at the end of a period of 40 sitting days. This is intended to give the Minister time to introduce a corresponding amendment to the Act into Parliament.)

What this will all cost in financial terms — as well as the impact on activists, professionals such as lawyers, doctors, our privacy, a free press and freedom of expression and association — remains unclear.

We do know that mandatory data retention is a global conversation. In March alone, data retention laws failed to pass the lower house in Paraguay, were suspended by the Dutch Court and invalidated in Bulgaria. There are judicial challenges to data retention in countries including Ireland, Sweden Hungary and England. While the laws may have passed, this story is certainly not over.

LEANNE O’DONNELL is a communications and policy lawyer at the Law Institute of Victoria. @MsLods